Bugtraq mailing list archives

Re: StackGuard: Automatic Protection From Stack-smashing Attacks


From: smb () RESEARCH ATT COM (Steve Bellovin)
Date: Fri, 19 Dec 1997 14:22:15 -0500


         > StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks

         From the online paper:
         > StackGuard detects and defeats stack smashing attacks by protecting the
         > return address on the stack from being altered.  StackGuard has two
         > mechanisms to protect the return address:  one provides greater assurance,
         > and the other provides greater performance.

         You are only protecting the return address.  This means many programs
         will still be vulnerable to overflow attacks.  In particular you
         don't protect the overflow of locals in a procedure, nor the overflow
         of globals in the data segment or heap.  While it does stop the
         "cookbook" stack overflow attacks,  it does not really put an end
         to the problem.  Consider for example the following (contrived but
         not entirely fictional) examples:

               #include <stdio.h>
               #include <unistd.h>

               int main(void)
               {
                   int save_uid;
                   char buf[10];          /* sits next to save_uid on the stack */
                   FILE *fp;

                   save_uid = getuid();
                   setuid(0);
                   fp = fopen("input", "r");
                   fscanf(fp, "%s", buf); /* unbounded read: can overflow buf into save_uid */
                   setuid(save_uid);
                   return 0;
               }

         overflowing the buffer will allow the user to increase his privilege
         for the duration of the program execution, which may be a very bad thing.

Yup.  In fact, the first buffer overflow security problem I know of
was in an early version of UNIX -- 6th Edition, I think; possibly 5th --
where the 'logged in' flag in login.c was adjacent to an input buffer...
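The bounded read that the quoted snippet is missing, as an added example that is not part of the thread or of StackGuard: the struct is a constructed stand-in for the two adjacent locals (so the layout is defined and checkable), read_token_bounded is a hypothetical replacement for fscanf(fp, "%s", buf) that never writes past the buffer and reports truncation, and the uid value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two adjacent locals in the quoted snippet.
 * In a struct the order is guaranteed, so the checks below are well defined. */
struct frame {
    char buf[10];
    int  save_uid;
};

/* Bounded replacement for fscanf(fp, "%s", buf): copies one whitespace-delimited
 * token from src into buf, writing at most cap-1 bytes plus a terminator.
 * Returns 1 if the whole token fit, 0 if it was truncated, so the caller can
 * reject the input instead of silently continuing with a partial value. */
int read_token_bounded(const char *src, char *buf, size_t cap)
{
    size_t i = 0;
    if (cap == 0) return 0;
    while (*src == ' ' || *src == '\t' || *src == '\n') src++;   /* %s skips leading blanks */
    while (*src != '\0' && *src != ' ' && *src != '\t' && *src != '\n') {
        if (i + 1 >= cap) {          /* only the terminator fits: stop here */
            buf[i] = '\0';
            return 0;
        }
        buf[i++] = *src++;
    }
    buf[i] = '\0';
    return 1;
}

int main(void)
{
    struct frame f;
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; /* constructed input */
    f.save_uid = 1000;                                                 /* constructed uid */
    int fit = read_token_bounded(oversized, f.buf, sizeof f.buf);
    printf("fit=%d buf=\"%s\" save_uid=%d\n", fit, f.buf, f.save_uid);
    return 0;
}
```

With the format width alone (fscanf(fp, "%9s", buf)) the overflow is also stopped, but the caller learns nothing about truncation; the helper above returns that fact so the program can refuse the input.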


